Skip to main content

Linux CVE-2026-23361

| EUVDEUVD-2026-15340 HIGH
Out-of-bounds Write (CWE-787)
2026-03-25 Linux GHSA-7vjw-7j3v-c8gx
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
5.2 MEDIUM
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

6
Re-analysis Queued
Apr 24, 2026 - 18:52 vuln.today
cvss_changed
CVSS changed
Apr 24, 2026 - 18:52 NVD
7.8 (HIGH)
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 25, 2026 - 10:45 euvd
EUVD-2026-15340
Analysis Generated
Mar 25, 2026 - 10:45 vuln.today
CVE Published
Mar 25, 2026 - 10:27 nvd
N/A

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

PCI: dwc: ep: Flush MSI-X write before unmapping its ATU entry

Endpoint drivers use dw_pcie_ep_raise_msix_irq() to raise an MSI-X interrupt to the host using a writel(), which generates a PCI posted write transaction. There's no completion for posted writes, so the writel() may return before the PCI write completes. dw_pcie_ep_raise_msix_irq() also unmaps the outbound ATU entry used for the PCI write, so the write races with the unmap.

If the PCI write loses the race with the ATU unmap, the write may corrupt host memory or cause IOMMU errors, e.g., these when running fio with a larger queue depth against nvmet-pci-epf:

arm-smmu-v3 fc900000.iommu: 0x0000010000000010 arm-smmu-v3 fc900000.iommu: 0x0000020000000000 arm-smmu-v3 fc900000.iommu: 0x000000090000f040 arm-smmu-v3 fc900000.iommu: 0x0000000000000000 arm-smmu-v3 fc900000.iommu: event: F_TRANSLATION client: 0000:01:00.0 sid: 0x100 ssid: 0x0 iova: 0x90000f040 ipa: 0x0 arm-smmu-v3 fc900000.iommu: unpriv data write s1 "Input address caused fault" stag: 0x0

Flush the write by performing a readl() of the same address to ensure that the write has reached the destination before the ATU entry is unmapped.

The same problem was solved for dw_pcie_ep_raise_msi_irq() in commit 8719c64e76bf ("PCI: dwc: ep: Cache MSI outbound iATU mapping"), but there it was solved by dedicating an outbound iATU only for MSI. We can't do the same for MSI-X because each vector can have a different msg_addr and the msg_addr may be changed while the vector is masked.

[bhelgaas: commit log]

AnalysisAI

This vulnerability is a race condition in the Linux kernel's PCI Designware endpoint driver where MSI-X interrupt writes to the host can complete after the corresponding Address Translation Unit (ATU) entry is unmapped, potentially corrupting host memory or triggering IOMMU errors. The vulnerability affects all Linux kernel versions with the vulnerable code path in the PCI DWC endpoint implementation (cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*), specifically impacting systems using PCI endpoint devices with MSI-X interrupt support such as NVMe-PCI endpoint function drivers. An attacker with the ability to trigger high-frequency MSI-X interrupts from a malicious endpoint device could exploit this race condition to cause denial of service through IOMMU faults or potentially corrupt host memory.

Technical ContextAI

The vulnerability exists in the Designware PCI controller's endpoint mode implementation, specifically in the dw_pcie_ep_raise_msix_irq() function responsible for raising MSI-X interrupts from endpoint devices to the host. PCI posted write transactions do not guarantee completion before the issuing instruction returns, creating a window where a writel() operation may still be in flight when the driver unmaps the outbound ATU entry used to translate the write. The root cause is a synchronization issue between the PCI write operation and the ATU resource cleanup, classified as improper synchronization or timing-dependent vulnerability. The affected CPE (cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*) indicates all Linux kernel versions are potentially vulnerable until patched. The fix involves adding a readl() barrier after the writel() to ensure the posted write completes before ATU unmap, similar to the approach previously applied to MSI handling in commit 8719c64e76bf.

RemediationAI

Apply the latest Linux kernel patch from the stable branches containing the fix (references: https://git.kernel.org/stable/c/a7afb8f810c04845fdfc58c57d9cf0cc5f23ced0, https://git.kernel.org/stable/c/6f60a783860c77b309f7d81003b6a0c73feca49e, https://git.kernel.org/stable/c/eaa6a56801ddd2d9b4980f19e7fe002b00994804, https://git.kernel.org/stable/c/c22533c66ccae10511ad6a7afc34bb26c47577e3). Immediately upgrade to a patched kernel version for any system utilizing PCI endpoint functionality. If immediate patching is not feasible, reduce MSI-X interrupt frequency or queue depth to lower the probability of the race condition triggering. For systems running nvmet-pci-epf or similar endpoint drivers, prioritize kernel updates as these workloads are most likely to trigger the vulnerability through high-frequency interrupt generation.

Vendor StatusVendor

Debian

linux
Release Status Fixed Version Urgency
bullseye vulnerable 5.10.223-1 -
bullseye (security) vulnerable 5.10.251-1 -
bookworm vulnerable 6.1.159-1 -
bookworm (security) vulnerable 6.1.164-1 -
trixie vulnerable 6.12.73-1 -
trixie (security) vulnerable 6.12.74-2 -
forky, sid fixed 6.19.8-1 -
(unstable) fixed 6.19.8-1 -

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-23361 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy